February 24th: at the same time Russia initiated a full-scale attack on Ukraine, tens of thousands of KA-SAT SATCOM terminals suddenly stopped working in several European countries: Germany, Ukraine, Greece, Hungary, Poland... Germany's Enercon stepped forward and acknowledged that approximately 5800 of its wind turbines, presumably those remotely operated via a SATCOM link in central Europe, had lost contact with their SCADA server. In the affected countries, a significant part of the customers of Eutelsat's domestic broadband service were also unable to access the Internet.
From the very beginning Eutelsat and its parent company Viasat stated that the issue was being investigated as a cyberattack. Since then, few details have been provided, but a few days ago I came across a really interesting video in the following tweet.
In the video, Commander General Michel Friedling confirms that the incident originated from a cyberattack. However, he also provides a key detail that has the potential to turn a boring DDoS scenario, as some initially pointed out, into something much more interesting: "the terminals have been damaged, made inoperable and probably cannot be repaired".
Based on the information publicly available and my experience researching SATCOM terminals, I'll try to present a plausible explanation for such a destructive attack.
Please note that this is merely a speculative exercise, although backed by realistic technical reasoning... anyway, I'm probably totally wrong.
Back in 2014 and then in 2018 I presented at BlackHat USA two different papers mainly focused on evaluating the security posture of multiple SATCOM terminals, uncovering a plethora of vulnerabilities and real-world scenarios across different sectors. Within these papers the reader can find an introduction to the SATCOM architecture, threat scenarios and some technical terms that will be used throughout this blog post.
In the ground segment of the KA-SAT infrastructure we find 10 gateways distributed across Europe. Please note that the Berlin Gateway is the closest one to Ukraine. Coincidentally, Germany seems to have suffered one of the worst parts of the attack.
The satellite coverage is divided into 82 spot beams, each approximately 300 km in diameter. As can be seen in the following image, there are four types of spot beams, each enabling approximately 240 MHz in both directions (independently for the Forward and Return channels), thus allowing the available frequency slots to be reused (1.95 GHz in total, ~((240 MHz*2)*4)) under different polarizations. This throughput requires multiple, geographically separated Gateway Earth Stations to properly provide the service.
An important detail is that the mappings between the spot beams and the gateways are fixed: each gateway handles a set of 10 different beams.
What do we really know about the attack?
However, it is still a 'mystery' who is behind that particular piece of the Ground Station, as Viasat and Eutelsat are apparently in the 'buck-passing' stage.